awslabs · sbkok · Nov 11, 2021 · Mar 31, 2021 · Mar 31, 2021 · Mar 31, 2021
diff --git a/src/template.yml b/src/template.yml
@@ -73,20 +73,21 @@ Resources:
               StringEquals:
                 aws:PrincipalOrgID: !GetAtt Organization.OrganizationId
             Resource:
-              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}
-              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}/*
+              - !GetAtt BootstrapTemplatesBucket.Arn
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
             Principal:
               AWS: "*"
           - Action:
               - s3:PutObject*
             Effect: Allow
             Resource:
-              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}
-              - !Sub arn:${AWS::Partition}:s3:::${BootstrapTemplatesBucket}/*
+              - !GetAtt BootstrapTemplatesBucket.Arn
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
             Principal:
               AWS: !Ref AWS::AccountId
   BootstrapArtifactStorageBucket:
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Type: AWS::S3::Bucket
     Properties:
       AccessControl: BucketOwnerFullControl
@@ -104,6 +105,7 @@ Resources:
   BootstrapTemplatesBucket:
     Type: "AWS::S3::Bucket"
     DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
     Properties:
       AccessControl: BucketOwnerFullControl
       BucketEncryption:
@@ -177,10 +179,8 @@ Resources:
             Resource: !GetAtt BootstrapTemplatesBucket.Arn
           - Effect: "Allow"
             Action: "s3:GetObject"
-            Resource: !Join
-              - ""
-              - - !GetAtt BootstrapTemplatesBucket.Arn
-                - "/*"
+            Resource:
+              !Sub "${BootstrapTemplatesBucket.Arn}/*"
       Roles:
         - !Ref LambdaRole
   StackWaiterFunction:
@@ -346,7 +346,6 @@ Resources:
               - "codecommit:List*"
               - "codecommit:CancelUploadArchive"
               - "codecommit:UploadArchive"
-              - "s3:Get"
             Resource: "*"
       Roles:
         - !Ref CodeCommitRole
@@ -436,16 +435,18 @@ Resources:
               - "s3:ListBucket"
               - "s3:PutObject"
             Resource:
-              - !Sub "arn:${AWS::Partition}:s3:::serverlessrepo-aws-deplo-bootstraptemplatesbucket-*"
-              - !Sub "arn:${AWS::Partition}:s3:::serverlessrepo-aws-deplo-bootstraptemplatesbucket-*/*"
+              - !GetAtt "BootstrapTemplatesBucket.Arn"
+              - !Sub "${BootstrapTemplatesBucket.Arn}/*"
               - !GetAtt BootstrapArtifactStorageBucket.Arn
               - !Sub "${BootstrapArtifactStorageBucket.Arn}/*"
-              - !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-*-*"
-              - !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-*-*/*"
+              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}"
+              - !Sub "arn:${AWS::Partition}:s3:::${SharedModulesBucket.BucketName}/*"
           - Effect: "Allow"
             Action:
               - "codebuild:*"
             Resource:
+              # Hardcoded name (instead of !GetAtt CodeBuildProject.Arn)to avoid a circular dependency.
+              # Converting this to an inline policy can break the circle
               - !Sub "arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/aws-deployment-framework-base-templates"
           - Effect: "Allow"
             Action:
@@ -478,7 +479,7 @@ Resources:
           - Name: ADF_VERSION
             Value: !FindInMap ["Metadata", "ADF", "Version"]
           - Name: TERMINATION_PROTECTION
-            Value: false
+            Value: "false"
           - Name: PYTHONPATH
             Value: "./adf-build/shared/python"
           - Name: S3_BUCKET
@@ -495,7 +496,7 @@ Resources:
       Name: "aws-deployment-framework-base-templates"
       ServiceRole: !Ref CodeBuildRole
       Source:
-        BuildSpec: !Sub |
+        BuildSpec: |
           version: 0.2
           phases:
             install:
@@ -538,7 +539,7 @@ Resources:
                 - Name: "TemplateSource"
               Configuration:
                 BranchName: "master"
-                RepositoryName: "aws-deployment-framework-bootstrap"
+                RepositoryName: !GetAtt CodeCommitRepository.Name
                 PollForSourceChanges: false
               RunOrder: 1
         - Name: UploadAndUpdateBaseStacks
@@ -888,10 +889,13 @@ Resources:
                 - s3:PutEncryptionConfiguration
                 - s3:PutBucketPolicy
                 - s3:PutBucketPublicAccessBlock
+              # This must match BucketNamePrefix of the SharedModulesBucket resource
               Resource: !Sub "arn:${AWS::Partition}:s3:::adf-shared-modules-*"
             - Effect: Allow
               Action: ssm:GetParameter
               Resource:
+                # Hardcoded name (instead of ${SharedModulesBucketName})to avoid a circular dependency.
+                # Converting this to an inline policy can break the circle
                 - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/shared_modules_bucket"
                 - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/deployment_account_region"
       FunctionName: CrossRegionBucketHandler
@@ -1005,7 +1009,7 @@ Resources:
         detail-type:
           - "CodeCommit Repository State Change"
         resources:
-          - !Sub "arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${CodeCommitRepository.Name}"
+          - !GetAtt CodeCommitRepository.Arn
         detail:
           event:
             - referenceCreated